I have an secured API student API which I am able to access via OAuth2.0 client credentials flow which creates an access token using IConfidentialClientApplication app and accesses secured app.
Now comes to access the secured API using OAuth 2.0 Resource Owner Password credentials. I have mostly used the code in microsoft github page.
https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2
I am able to sign in using username and password, able to generate access token as well. But this access token is not able to access my secured student API. Though the sample code is able to access the Microsoft graph API, it is not able to access my secured API.
I tried to allow public client flow for my secured student API as well and decrypted both the access tokens to see the difference. There is a lot of difference. What I noticed here is in ROPC flow are using IPublicClientApplication where I am not able to give the ResourceId while acquiring token. So "aud" is different in ROPC token and other fields as well. Can anyone tell where I may be going wrong or how to fix the above scenario?
I think you may need to perform these 2 steps to get a token valid for your own API:
See step 6 of my Azure AD Blog Post for how this looks. The article also explains some token differences.